Kubernetes CKS sample exam question 5 with answer - Fixing kube-bench findings

Question:

The tool kube-bench has been run against the control plane node. As part of the reporting, you received the following failure messages for the API server component:

[WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
Change the configuration of the API server accordingly. Make sure that the Pod running the API server will be restarted.

Answer:

Run kube-bench again to get the remediation steps.
kube-bench
Or run only the targeted checks:
kube-bench run --targets master --check 1.2.11
kube-bench run --targets master --check 1.2.20
The output will look like this:
...
== Remediations master ==
...
1.2.11 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to include
AlwaysPullImages.
--enable-admission-plugins=...,AlwaysPullImages,...
...
1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--profiling=false
So, you have the steps. Open /etc/kubernetes/manifests/kube-apiserver.yaml and make the changes:
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,AlwaysPullImages
    - --profiling=false
...
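The kubelet watches the static Pod manifests directory and recreates the API server Pod once the file is saved. Now wait for the API server container to be restarted: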
watch crictl ps
Run kube-bench again to check the status of the checks:
kube-bench
Or run only the targeted checks:
kube-bench run --targets master --check 1.2.11
kube-bench run --targets master --check 1.2.20
Now it should be:
[PASS] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
[PASS] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
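The same two manifest edits as a repeatable script. This is an added example, not part of the original answer or of kube-bench. The function names, the backup location and the sample manifest are assumptions made for illustration, and GNU sed is assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.
PLUGIN_RE='--enable-admission-plugins=([^[:space:]]*,)?AlwaysPullImages(,|[[:space:]]|$)'

# Constructed sample manifest, trimmed to the lines that matter here.
make_sample_manifest() {
  cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction
EOF
}

# Apply remediations 1.2.11 and 1.2.20 to manifest $1; keep one backup in $2.
harden_apiserver_manifest() {
  local manifest="$1" backup_dir="$2" bak
  [ -f "$manifest" ] || { echo "manifest not found: $manifest" >&2; return 1; }
  # Back up outside the directory the kubelet scans for static Pods.
  bak="$backup_dir/$(basename "$manifest").bak"
  mkdir -p "$backup_dir" || return 1
  [ -e "$bak" ] || cp -p "$manifest" "$bak" || return 1
  # 1.2.11: extend the existing plugin list, or add the flag if it is absent.
  if grep -Eq -- "$PLUGIN_RE" "$manifest"; then
    :  # already enabled, nothing to change
  elif grep -q -- '--enable-admission-plugins=' "$manifest"; then
    sed -i -E 's/^([[:space:]]*- --enable-admission-plugins=[^[:space:]]*)[[:space:]]*$/\1,AlwaysPullImages/' "$manifest"
  else
    sed -i -E 's/^([[:space:]]*)- kube-apiserver[[:space:]]*$/&\n\1- --enable-admission-plugins=AlwaysPullImages/' "$manifest"
  fi
  # 1.2.20: force --profiling=false whether the flag exists or not.
  if grep -q -- '--profiling=' "$manifest"; then
    sed -i -E 's/(--profiling=)[^[:space:]]*/\1false/' "$manifest"
  else
    sed -i -E 's/^([[:space:]]*)- kube-apiserver[[:space:]]*$/&\n\1- --profiling=false/' "$manifest"
  fi
}

# Succeeds only when both flags are set the way kube-bench expects.
manifest_passes() {
  grep -Eq -- "$PLUGIN_RE" "$1" && grep -Eq -- '--profiling=false([[:space:]]|$)' "$1"
}

# Demo on the constructed sample in a temp directory (no cluster needed).
tmp=$(mktemp -d)
make_sample_manifest "$tmp/kube-apiserver.yaml"
harden_apiserver_manifest "$tmp/kube-apiserver.yaml" "$tmp/backup"
manifest_passes "$tmp/kube-apiserver.yaml" && echo "manifest satisfies 1.2.11 and 1.2.20"
```

On a real control plane node the first argument would be /etc/kubernetes/manifests/kube-apiserver.yaml; running the function a second time leaves the file unchanged.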